Why use VLANs?

Hey everyone,
Going through a fun phase of relearning the subjects I've forgotten with years of never needing it. Today's subject is VLANs.

So I understand the idea of VLANs to keep networks separate and not allow broadcasting between each other, and tagging and trunking and all that.
What I don't get yet is the point.

Sure, I can see why separating network parts like VoIP, iSCSI, and the data makes sense, as you wouldn't want your data network causing issues with your VoIP. Plus VLANs save cost on hardware. But would you use it within the data network?

For example, servers separate from workstations, or departments in an office on separate VLANs?

Appreciate any input, as it's the only part I can't get my head round.
 
I think the term you're missing is "SECURITY". Using VLANs adds another layer of security to an existing network without the addition of extra hardware or the cost associated with it. Understanding how VLANs work and when to use them are two different topics, as you rightfully question. When you understand them, the first thing you want to do is VLAN everything lol, but it isn't always appropriate and sometimes can add unnecessary complexity to the current network design.

By separating the network with VLANs you are inherently segregating the traffic, so VLAN A cannot see, sniff, or communicate with VLAN B without a router/Layer 3 switch explicitly allowing the communication, even if they are using the same physical hardware. The way to look at it is that each port on a switch can technically become its own LAN. I'll say: flexibility and security.

/me passes the hot potato
 
But would you use it within the data network?

For example, servers separate from workstations, or departments in an office on separate VLANs?

Appreciate any input, as it's the only part I can't get my head round.

Another good reason is the 'rule of thumb' regarding maximum end devices on a network. Broadcasts turn into nightmares much above 500 IPs in a single subnet. Segregating VLANs into multiple data subnets mitigates this issue. For instance, we currently use 3 different subnets for 3 different ways to access our data network (3 wired, 3 guest wireless and 3 corporate wireless), all in their own respective /24s. There are never more than 254 hosts per VLAN, and they are all routable to each other via the switch (Layer 3 switch; if you have a Layer 2 switch then you can have them routable via the router/firewall). 254 possible broadcast endpoints are much easier to manage on the switch than 512+.
 
If your question is, "Can I just plug in all my unmanaged switches and have a successful network?" Probably.

VLANs add all the great features mentioned. If I want to set up a guest or second wifi network: VLANs. I don't want folks to be able to view some unencrypted traffic such as vMotion: VLANs. I want to organize my environment using VLSM: VLANs. I am a conglomerate company but some employees share an office space. They shouldn't see each other's files: VLANs.

Could you get by using other means? Yes. For a small business you may never see the added value of a VLAN. It is a huge benefit for anyone who knows how to use them.
 
I use them for several reasons.

1) Cisco recommends not having >512 devices in a broadcast domain. I use VLANs to create multiple domains to keep overall broadcast traffic down.

2) Logical separation. For instance, imagine you have 2 networks you want to provide access to wirelessly. You could have two networks: SSID "Secure" that is tied to your production network, and SSID "Guest" for open access. If you're using an AP that supports 802.1Q you can do this over 1 cable with 1 AP.

3) Sometimes I have devices that don't need WAN connectivity or accessibility from the production network, like security cameras for instance.

Really, the possibilities are limitless. I work in an environment where we literally have hundreds of VLANs.

Even at home I have several VLANs.
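To make the broadcast-domain and one-cable-trunk points above concrete, here is an added example (not code from the thread or from any vendor): a toy model of a VLAN-aware switch with 802.1Q tagging. Port names, MACs and the "Secure"/"Guest" VLAN IDs 10 and 20 are made up; native-VLAN handling on trunks is deliberately left out.

```python
import struct

TPID_8021Q = 0x8100          # EtherType that marks an 802.1Q tag
BROADCAST = b"\xff" * 6

def tag_frame(frame, vlan_id):
    """Insert an 802.1Q tag (TPID 0x8100, PCP/DEI 0, 12-bit VID) after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF) + frame[12:]

def untag_frame(frame):
    """Return (vlan_id, frame without the tag); an untagged frame reports VLAN 0."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return 0, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]

class VlanSwitch:
    """Toy learning switch: access ports carry one untagged VLAN, trunk ports carry tagged VLANs."""
    def __init__(self):
        self.access, self.trunks, self.fdb = {}, {}, {}   # fdb: (vlan, mac) -> port
    def add_access_port(self, port, vlan):
        self.access[port] = vlan
    def add_trunk_port(self, port, allowed_vlans):
        self.trunks[port] = set(allowed_vlans)
    def receive(self, in_port, frame):
        """Forward a frame arriving on in_port; returns {out_port: frame as it leaves that port}."""
        if in_port in self.access:
            vlan, payload = self.access[in_port], frame
        else:
            vlan, payload = untag_frame(frame)
            if vlan not in self.trunks[in_port]:
                return {}                        # VLAN not allowed on this trunk: dropped
        dst, src = payload[:6], payload[6:12]
        self.fdb[(vlan, src)] = in_port          # MAC learning is kept per VLAN
        known = self.fdb.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            targets = [known]
        else:                                    # flood, but only inside this VLAN's ports
            targets = [p for p, v in self.access.items() if v == vlan]
            targets += [p for p, v in self.trunks.items() if vlan in v]
        return {p: (payload if p in self.access else tag_frame(payload, vlan))
                for p in targets if p != in_port}

def demo():
    """VLAN 10 = Secure, VLAN 20 = Guest; port 'ap' is the single trunk cable to a two-SSID AP."""
    sw = VlanSwitch()
    sw.add_access_port("pc1", 10); sw.add_access_port("pc2", 10); sw.add_access_port("guest_pc", 20)
    sw.add_trunk_port("ap", [10, 20])
    frame = BROADCAST + b"\x00\x11\x22\x33\x44\x01" + b"\x08\x06" + b"ARP?"   # constructed broadcast from pc1
    return sw.receive("pc1", frame)      # reaches pc2 untagged and ap tagged VLAN 10, never guest_pc
```

Running `demo()` shows the broadcast reaching the other Secure port and the trunk (tagged 10) but not the Guest port, which is the isolation the posts above describe.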
 
You answered your own question OP LOL.. no need to answer it further. You already know the answers.

I for one do not want an entire switch per LAN, especially when switches can cost $5K-$10K each. Screw that. I am going to use a VLAN.

I have like 15 hosts on my home network, far from a maxed out broadcast domain, and I still use VLANs religiously.
 
There is also the fact that a mistake causing a broadcast storm or a DHCP issue won't take down your entire network.
 
Depending on the size, isolating your network can be a supreme ideal. For instance, if you know there's a virus on one part of your network, you can shut it off from your entire network until resolved. File security is also something that can benefit from a separate VLAN.
 